Hi,
CHANGES_2.4 has been updated with the SECURITY tags and is available from httpd.a.o. However, http://www.apache.org/dist/httpd/CHANGES_2.4.39 still reflects the file without these SECURITY items. I won't be able to update it before Friday, so feel free to fix it in the meantime.

CJ

> Message of 02/04/19 03:04
> From: drugg...@apache.org
> To: c...@httpd.apache.org
> Cc:
> Subject: svn commit: r33393 - /release/httpd/CHANGES_2.4
>
> Author: druggeri
> Date: Tue Apr 2 01:04:50 2019
> New Revision: 33393
>
> Log:
> Correct changelog for vulnerabilities
>
> Modified:
> release/httpd/CHANGES_2.4
>
> Modified: release/httpd/CHANGES_2.4 > ============================================================================== > --- release/httpd/CHANGES_2.4 (original) > +++ release/httpd/CHANGES_2.4 Tue Apr 2 01:04:50 2019 
> @@ -1,13 +1,50 @@ > -*- coding: utf-8 -*- > Changes with Apache 2.4.39 > + *) SECURITY: CVE-2019-0197 (cve.mitre.org) > + mod_http2: fixes a possible crash when HTTP/2 was enabled for a http: > + host or H2Upgrade was enabled for h2 on a https: host. An Upgrade > + request from http/1.1 to http/2 that was not the first request on a > + connection could lead to a misconfiguration and crash. Servers that > + never enabled the h2 protocol or only enabled it for https: and > + did not set "H2Upgrade on" are unaffected by this issue. > + [Stefan Eissing] > + > + *) SECURITY: CVE-2019-0196 (cve.mitre.org) > + mod_http2: using fuzzed network input, the http/2 request > + handling could be made to access freed memory in string > + comparision when determining the method of a request and > + thus process the request incorrectly. [Stefan Eissing] > + > + *) SECURITY: CVE-2019-0211 (cve.mitre.org) > + MPMs unix: Fix a local priviledge escalation vulnerability by not > + maintaining each child's listener bucket number in the scoreboard, > + preventing unprivileged code like scripts run by/on the server (e.g. via > + mod_php) from modifying it persistently to abuse the priviledged main > + process. [Charles Fol , Yann Ylavic] > + > + *) SECURITY: CVE-2019-0196 (cve.mitre.org) > + mod_http2: using fuzzed network input, the http/2 request > + handling could be made to access freed memory in string > + comparision when determining the method of a request and > + thus process the request incorrectly. [Stefan Eissing] > + > + *) SECURITY: CVE-2019-0217 (cve.mitre.org) > + mod_auth_digest: Fix a race condition checking user credentials which > + could allow a user with valid credentials to impersonate another, > + under a threaded MPM. PR 63124. [Simon Kappel ] > + > + *) SECURITY: CVE-2019-0215 (cve.mitre.org) > + mod_ssl: Fix access control bypass for per-location/per-dir client > + certificate verification in TLSv1.3. 
> + > + *) SECURITY: CVE-2019-0220 (cve.mitre.org) > + Merge consecutive slashes in URL's. Opt-out with > + `MergeSlashes OFF`. [Eric Covener] > > *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend > connection is recycled/reused to avoid a possible crash with some SSLProxy > configurations in or context. PR 63256. [Yann Ylavic] > > - *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure. > - [Michael Kaufmann ] > - > *) mod_log_config: Support %{c}h for conn-hostname, %h for useragent_host > PR 55348 > > @@ -59,13 +96,6 @@ Changes with Apache 2.4.39 > *) mod_cache_socache: Avoid reallocations and be safe with outgoing data > lifetime. [Yann Ylavic] > > - *) MPMs unix: bind the bucket number of each child to its slot number, for a > - more efficient per bucket maintenance. [Yann Ylavic] > - > - *) mod_auth_digest: Fix a race condition. Authentication with valid > - credentials could be refused in case of concurrent accesses from > - different users. PR 63124. [Simon Kappel ] > - > *) mod_http2: enable re-use of slave connections again. Fixed slave connection > keepalives counter. [Stefan Eissing] > > > >
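
Review bot: The CVE-2019-0196 mod_http2 entry appears twice in the added block of the first hunk (@@ -1,13 +1,50 @@), once after CVE-2019-0197 and again after CVE-2019-0211; the second copy should be dropped. In the same hunk the CVE-2019-0215 mod_ssl entry has no contributor credit, while the line it replaces ("mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.") credited Michael Kaufmann, so the attribution should be carried over to the new entry. The added text also needs a spelling pass: "priviledge" and "priviledged" in the CVE-2019-0211 entry, "comparision" in the CVE-2019-0196 entry, and "URL's" in the CVE-2019-0220 entry.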